CCNA Discovery 4.0: Designing and Supporting Computer Networks
DESCRIPTION
CCNA Discovery 4.0 Designing and Supporting Computer Networks. Introducing Network Design Concepts – Chapter 1. Introduction.
© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public. ITE PC v4.0, Chapter 1, slide 1
CCNA Discovery 4.0: Designing and Supporting Computer Networks
Introducing Network Design Concepts – Chapter 1
INTRODUCTION
Swelling user populations have catapulted scalability to the top of criteria for Business Intelligence solutions…Employees in every department and division are accountable for profitability, managers at every level are accountable for operational execution, and executives are accountable for strategy and regulatory compliance. As a result, IT is being held accountable for providing a scalable, cost-effective infrastructure to access and integrate data from a wide range of sources, generate insightful information, and deliver that information inside and outside the enterprise to every stakeholder responsible for managing business performance.
Objectives
Network Design Overview
Network Requirements
• Around-the-clock customer service
• Business networks must be available nearly 100 percent of the time
Building a Good Network
• The result of hard work by network designers and technicians
Network Design Overview: Network Requirements
• Should stay up all the time
• Reliably deliver applications and provide reasonable response times from any host to any host
• Secure - protect the data that is transmitted over it, as well as data stored on the devices that connect to it
• Easy to modify to adapt to network growth and general business changes
• Finding and fixing a problem should not be too time-consuming
The benefits of Hierarchical Network Design
Hierarchical Network Design
Used to group devices into multiple networks organized in a layered approach
Three basic layers:
Core Layer - Connects Distribution Layer devices
Distribution Layer - Interconnects the smaller local networks
Access Layer - Provides connectivity for network hosts and end devices
The benefits of Hierarchical Network Design
Enterprise Campus - This area contains the network elements required for independent operation within a single campus or branch location.
Server Farm - A component of the enterprise campus, the data center server farm protects the server resources and provides redundant, reliable high-speed connectivity.
Enterprise Edge - As traffic comes into the campus network, this area filters traffic from the external resources and routes it into the enterprise network.
Network Design Methodologies
Large network design projects are normally divided into three distinct steps:
Step 1: Identify the network requirements.
Step 2: Characterize the existing network.
Step 3: Design the network topology and solutions.
Network Design Methodologies: Common Strategy
Top-down approach - network applications and service requirements are identified first, and then the network is designed to support them.
When the design is complete, a prototype or proof-of-concept test is performed to ensure that the new design functions as expected before it is implemented.
Network Design Methodologies
Impacting the Entire Network
Network requirements that impact the entire network include:
– Adding new network applications and making major changes to existing applications, such as database or DNS structure changes
– Improving the efficiency of network addressing or routing protocol changes
– Integrating new security measures
– Adding new network services, such as voice traffic, content networking, and storage networking
– Relocating servers to a data center server farm
Network Design Methodologies
Impacting a Portion of the Network
Requirements that may only affect a portion of the network include:
– Improving Internet connectivity and adding bandwidth
– Updating Access Layer LAN cabling
– Providing redundancy for key services
– Supporting wireless access in defined areas
– Upgrading WAN bandwidth
What happens at the Core Layer?
Core Layer = network backbone
Routers and switches at the Core Layer provide high-speed connectivity
May connect multiple buildings or multiple sites, as well as provide connectivity to the server farm
Support Internet, Virtual Private Networks (VPNs), extranet, and WAN access
What happens at the Core Layer?
Goals of the Core Layer
–Provide 100% uptime
–Maximize throughput
–Facilitate network growth
What happens at the Core Layer?
Core Layer Technologies:
–Routers or multilayer switches that combine routing and switching in the same device
–Redundancy and load balancing
–High-speed and aggregate links
–Routing protocols that scale well and converge quickly, such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF) protocol
Network Traffic Prioritization
• Network designers strive to provide a network that is resistant to failures and can recover quickly in the event of a failure
Network Traffic Prioritization
Redundant Components
• Costly but worth the investment
• Core Layer devices: hot-swappable components reduce repair time and disruption to network services
• Generators and large UPS devices prevent minor power outages from causing large-scale network failures
Network Traffic Prioritization
Reducing Human Error
• Failures are the result of poorly planned, untested updates or additions of new equipment.
• Never make a configuration change on a production network without first testing it in a lab environment!
• Failures at the Core Layer cause widespread outages – plan a back-out strategy to return the network to its previous state if changes are not successful.
Network Convergence
Network convergence = all routers have complete and accurate information about the network.
• The faster the convergence time, the quicker a network can react to a change in topology.
• Factors:
  – routing update speed
  – calculation time for best paths
Network Convergence
• Dependent on Routing Protocol
• Static links and dynamic links
• PT 1.2.3.2 – Observing Network Convergence
What happens at the Distribution Layer?
• Routing boundary between the Access Layer and the Core Layer
• Serves as a connection point between remote sites and the Core Layer
• Built using Layer 3 devices (routers or multilayer switches) that provide many functions critical for meeting the goals of the network design
What happens at the Distribution Layer?
Filtering and managing traffic flows
Enforcing access control policies
Summarizing routes before advertising the routes to the Core
Isolating the Core from Access Layer failures or disruptions
Routing between Access Layer VLANs
What happens at the Distribution Layer?
Trunk links are often configured between Access and Distribution Layer networking devices.
Where redundant links exist between devices in the Distribution Layer, the devices can be configured to load-balance the traffic across the links.
Distribution Layer networks are usually wired in a partial mesh topology, which provides enough redundant paths to ensure that the network can survive a link or device failure.
Limiting the scope of network failures
Switch Block - Routers, or multilayer switches, are usually deployed in pairs, with Access Layer switches evenly divided between them.
Each switch block acts independently of the others.
The failure of a single device does not cause the network to go down. Even the failure of an entire switch block does not impact a significant number of end users.
Building a redundant Network
Redundancy at the Distribution Layer
Providing multiple connections to Layer 2 switches can keep the network from failing
STP (Spanning Tree Protocol) guarantees that only one path is active between two devices.
Building a redundant Network
STP guarantees that only one path is active between two devices
If one of the links fails, the switch recalculates the spanning tree topology and automatically begins using the alternate link
Rapid Spanning Tree Protocol (RSTP) provides rapid convergence of the spanning tree
Building a redundant Network
A high volume, enterprise server is connected to a switch port
STP could cause the server to be down for 50 seconds
A faulty power supply causes the device to reboot unexpectedly - BAD
Traffic Filtering at Distribution Layer
The router examines each packet and then either forwards or discards it, based on the conditions specified in an Access Control List (ACL)
Standard ACLs filter traffic based on the source address only
Extended ACLs can filter based on multiple criteria, including:
–Source address
–Destination address
–Protocols
–Port numbers or applications
–Whether the packet is part of an established TCP stream
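The ACL behaviour just described, as an added Python model that is not part of the Cisco slides; the entry format, the 10.1.0.0/16 and 10.2.0.0/16 addressing and the sample packets are constructed for illustration:

```python
"""Model of how a Distribution Layer router applies an access control list.

Added example, not code from the Cisco course. The entry format and the sample
packets are constructed; the semantics follow the slides: entries are checked
top-down, the first match decides, and a packet that matches no entry is
discarded (the implicit deny at the end of every ACL).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str                    # source IP address
    dst: str                    # destination IP address
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0              # destination port (tcp/udp only)
    established: bool = False   # TCP segment with ACK or RST set, i.e. not a new SYN


@dataclass
class Entry:
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source network in CIDR notation ("any" by default)
    dst: Optional[str] = None     # None: standard ACL entry, source address only
    proto: Optional[str] = None   # None: any protocol
    dport: Optional[int] = None   # None: any destination port
    established: bool = False     # match only replies inside an existing TCP stream

    def matches(self, pkt: Packet) -> bool:
        """True if every criterion the entry specifies fits the packet."""
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.established):
            return False
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Constructed addressing: users on 10.1.0.0/16 behind the Access Layer,
# a web server at 10.2.0.10 in the server farm.
STANDARD_ACL = [Entry("permit", src="10.1.0.0/16")]   # source address only

EXTENDED_ACL = [
    # Replies from the server farm back to sessions the users already opened
    Entry("permit", src="10.2.0.0/16", dst="10.1.0.0/16", proto="tcp", established=True),
    # Users may open HTTP sessions to the web server, nothing else
    Entry("permit", src="10.1.0.0/16", dst="10.2.0.10/32", proto="tcp", dport=80),
    # Everything else falls through to the implicit deny
]

if __name__ == "__main__":
    ssh = Packet("10.1.5.7", "10.2.0.10", "tcp", dport=22)
    print("standard ACL, SSH to server:", evaluate(STANDARD_ACL, ssh))   # permit
    print("extended ACL, SSH to server:", evaluate(EXTENDED_ACL, ssh))   # deny
```

The same SSH packet passes the standard ACL, which sees only the source address, and fails the extended ACL, which also checks destination host and port.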
Traffic Filtering at Distribution Layer
Complex ACLs
– Dynamic ACL
• requires a user to use Telnet to connect to the router and authenticate
• referred to as "lock and key" because the user is required to log in in order to obtain access.
– Reflexive ACL
• allows outbound traffic and then limits inbound traffic to only responses to those permitted requests.
– Time-based ACL
• permits and denies specified traffic based on the time of day or day of the week.
Standard Access-Lists
Activity – 1.3.4.2
Routing Protocols at the Distribution Layer
Route Summarization
One route in the routing table that represents many other routes, creating smaller routing tables
Less routing update traffic on the network
Lower overhead on the router
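Route summarization as described above, worked in Python as an added example (not code from the Cisco course); the 172.16.x.0/24 subnets are constructed, and the second function adds the check a designer wants before advertising the summary:

```python
"""Compute one summary route for a set of Access Layer subnets.

Added example, not code from the Cisco course. The subnets are constructed. The
algorithm keeps the leading bits that every network address shares, which is
how a Distribution Layer summary is worked out by hand, and then reports any
address space the summary would advertise that no specific route covers.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network


def summarize(prefixes: Iterable[str]) -> IPv4Net:
    """Smallest single prefix that covers every network in `prefixes`."""
    nets = [ipaddress.IPv4Network(p) for p in prefixes]
    if not nets:
        raise ValueError("nothing to summarize")
    first = int(nets[0].network_address)
    # A bit of `common` stays 1 only where every network address agrees with the first
    common = 0xFFFFFFFF
    for net in nets:
        common &= ~(first ^ int(net.network_address)) & 0xFFFFFFFF
    length = 0
    while length < 32 and common & (1 << (31 - length)):
        length += 1
    # The summary can never be more specific than its least specific member
    length = min(length, min(net.prefixlen for net in nets))
    return ipaddress.IPv4Network((first, length), strict=False)


def advertised_but_absent(prefixes: Iterable[str], summary: IPv4Net) -> List[IPv4Net]:
    """Blocks inside `summary` that none of the specific routes covers.

    Traffic for these destinations is drawn toward the summarizing router and
    dropped there, so a non-empty result deserves a look before deployment.
    """
    remaining = [summary]
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        next_round = []
        for block in remaining:
            if net.subnet_of(block):
                next_round.extend(block.address_exclude(net))   # carve the route out
            elif not block.subnet_of(net):
                next_round.append(block)                         # untouched by this route
        remaining = next_round
    return sorted(remaining)


if __name__ == "__main__":
    # Constructed: eight contiguous, aligned /24s on one switch block
    floors = [f"172.16.{i}.0/24" for i in range(8)]
    s = summarize(floors)
    print(s, advertised_but_absent(floors, s))          # 172.16.0.0/21 []
    # Seven of the eight: the summary is the same, but now it overreaches
    s7 = summarize(floors[:7])
    print(s7, advertised_but_absent(floors[:7], s7))    # 172.16.0.0/21 [172.16.7.0/24]
```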
Routing Protocols at the Distribution Layer
Activity 1.3.5.2 - SUMMARIZATION
What happens at the access layer?
Access Layer
Uses Layer 2 switching technology to provide access into the network.
Access through a permanent wired infrastructure or through wireless access points
What happens at the access layer?
Wiring Closets
Actual closets or small telecommunication rooms that act as the termination point for infrastructure cabling within buildings or within floors of a building
What happens at the access layer?
Many different devices can connect to an IP network, including:
– IP telephones
– Video cameras
– Video conferencing systems
What happens at the access layer?
Access Layer management is crucial due to:
– increase in the number and types of devices connecting at the Access Layer
– introduction of wireless access points into the LAN
– designing for manageability
In addition to providing basic connectivity at the Access Layer, the designer needs to consider:
– Naming structures
– VLAN architecture
– Traffic patterns
– Prioritization strategies
Network Topologies at Access Layer
The disadvantages of a star topology are significant:
– The central device represents a single point of failure.
– The capabilities of the central device can limit overall performance for access to the network
– The topology does not recover in the event of a failure when there are no redundant links
Ethernet star topologies usually have a combination of the following wiring:
– Twisted pair wiring to connect to the individual end devices
– Fiber to interconnect the access switches to the Distribution Layer devices
How Do VLANs Segregate Traffic?
Using VLANs and IP subnets is the most common method for segregating user groups and traffic within the Access Layer network
VLANs are used to separate and classify traffic streams and to control broadcast traffic within a single wiring closet or building
How Do VLANs Segregate and Control Network Traffic?
Without VLANs (figure)
With VLANs (figure)
Services at the Network Edge
Quality of Service
•Networks must provide secure, predictable, measurable and, at times, guaranteed services
•Networks also need mechanisms to control congestion when traffic increases
•Congestion is caused when the demand on the network resources exceeds the available capacity
Security at the Network Edge
Security Risks at the Access Layer
Security at the Network Edge
How Can the Network Designer Improve Security?
– Permitting network access to only known or authenticated devices
– Applying wireless security measures that follow recommended practices
– Locking wiring closets and restricting access to networking devices (physical security)
– Installing cameras or motion detection devices and alarms
Security at the Network Edge
Hands-on Lab 1.4.5.2 – Identifying Network Vulnerabilities
Security Measures
Securing Access Layer Networking Devices
– Setting strong passwords
– Using SSH to administer devices
– Disabling unused ports
– Switch port security and network access control can ensure that only known and trusted devices have access to the network
Security Measures
Hands-on Lab 1.4.6.2 – Gaining Physical Access to the Network
Hands-on Lab 1.4.6.3 – Implementing Switch Port Security
What is a server farm?
Server farms (email, web, and similar servers) are typically located in computer rooms and data centers
Network traffic enters and leaves the server farm at a defined point, which makes it easier to secure, filter, and prioritize traffic
Redundant, high-capacity links can be installed to the servers as well as between the server farm network and the main LAN
Load balancing and failover can be provided between servers and between networking devices
PT Activity 1.5.1.2 – Observing and Recording Server Traffic
Security, Firewalls and DMZs
Protecting Server Farms Against Attack
– Firewalls
– LAN switch security features
– Host-based and network-based intrusion detection and prevention systems
– Load balancers
– Network analysis and management devices
Security, Firewalls and DMZs
Demilitarized Zones
In the traditional network firewall design, servers that needed to be accessed from external networks were located on a demilitarized zone (DMZ)
Users accessing these servers from the Internet or other untrusted external networks were prevented from seeing resources located on the internal LAN
Security, Firewalls and DMZs
Protecting Against Internal Attacks
Attacks originating on the internal network are now more common than attacks from external sources
A layer of firewall features and intrusion protection is required between the servers and the internal networks, as well as between the servers and the external users
Providing High Availability
A highly available network is one that eliminates or reduces the potential impact of failures.
This enables the network to meet requirements for access to applications, systems, and data from anywhere, at any time.
Providing High Availability
Building in Redundancy
To achieve high availability, servers are redundantly connected to two separate switches at the Access Layer
This redundancy provides a path from the server to the secondary switch if the primary switch fails
Providing High Availability
Virtualization
Many separate logical servers can be located on one physical server
The physical server uses an operating system specifically designed to support multiple virtual images
Considerations unique to WLAN
Will wireless roaming be required?
What authentication for users is needed?
Will open access (hotspots) be provided for the guests?
Which network services and applications are available to wireless users?
What encryption technique can be used?
Are wireless IP telephones planned?
Which coverage areas need to be supported?
How many users are in each coverage area?
Considerations unique to WLAN
Physical Network Design
Focuses on the physical coverage areas of the network.
The network designer conducts a site survey to determine the coverage areas for the network and to find the optimum locations for mounting wireless Access Points
Considerations unique to WLAN
Logical Network Design
Provide different levels of access to different types of wireless users. In addition, wireless networks must be both easy to use and secure.
– Open wireless access for their visitors and vendors
– Secured wireless access for their mobile employees
– Reliable connectivity for wireless IP phones
Considerations unique to WLAN
Open Guest Access
Typically not encrypted with Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA).
To help guest users connect to the network, the Access Point service set identifier (SSID) is broadcast.
Many hotspot guest systems use DHCP and a logging server to register and record wireless use.
Guest users typically access the wireless network by opening a browser window and agreeing to a specified usage policy.
Considerations unique to WLAN
Secured Employee Access
Use an entirely separate WLAN infrastructure that does not include guest access. The recommended practice is to separate the internal users on a different VLAN.
– Non-broadcast SSID
– Strong encryption
– User authentication
– Virtual Private Network (VPN) tunneling for sensitive data
– Firewall and intrusion prevention
– MAC address filtering can be used to limit access.
Design Considerations at enterprise edge
Cost of Bandwidth
QoS (managing the queuing of data)
Security
Remote Access
Integrating Remote Sites into the Network Design
Leased lines
Circuit-switched networks
Packet-switched networks, such as Frame Relay networks
Cell-switched networks such as Asynchronous Transfer Mode (ATM) networks
Integrating Remote Sites into the Network Design
Remote workers
Mobile workers
Branch employees
Virtual Private Networks
Redundancy and backup links
Redundancy is required on WAN links and is vitally important to ensure reliable connectivity to remote sites and users.
For a WAN, backup links provide the required redundancy. Backup links often use different technologies than the primary connection. This method ensures that if a failure occurs in one system, it does not necessarily affect the backup system.
Redundancy and backup links
Load Sharing
In addition to providing a backup strategy, redundant WAN connections can provide additional bandwidth through load sharing. The backup link can be configured to provide additional bandwidth all of the time or during peak traffic time only.